Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5352 Commits
32 Branches
297 Tags
164 MiB
Tree: d91964904c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd91964904c'
${ noResults }
seaweedfs/weed/s3api/s3api_object_handlers_postp...

240 lines
6.6 KiB
Raw Normal View History

s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
refactor
4 years ago
s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
s3: escape object key if containing special characters fix https://github.com/chrislusf/seaweedfs/issues/1884
4 years ago
s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
refactoring
4 years ago
s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
  1. package s3api
  3. import (
  4. "bytes"
  5. "encoding/base64"
  6. "errors"
  7. "github.com/chrislusf/seaweedfs/weed/s3api/policy"
  8. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  9. "github.com/dustin/go-humanize"
  10. "github.com/gorilla/mux"
  11. "io"
  12. "io/ioutil"
  13. "mime/multipart"
  14. "net/http"
  15. "net/url"
  16. "strings"
  17. )
  19. func (s3a *S3ApiServer) PostPolicyBucketHandler(w http.ResponseWriter, r *http.Request) {
  21. // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
  22. // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html
  24. bucket := mux.Vars(r)["bucket"]
  26. reader, err := r.MultipartReader()
  27. if err != nil {
  28. writeErrorResponse(w, s3err.ErrMalformedPOSTRequest, r.URL)
  29. return
  30. }
  31. form, err := reader.ReadForm(int64(5 * humanize.MiByte))
  32. if err != nil {
  33. writeErrorResponse(w, s3err.ErrMalformedPOSTRequest, r.URL)
  34. return
  35. }
  36. defer form.RemoveAll()
  38. fileBody, fileName, fileSize, formValues, err := extractPostPolicyFormValues(form)
  39. if err != nil {
  40. writeErrorResponse(w, s3err.ErrMalformedPOSTRequest, r.URL)
  41. return
  42. }
  43. if fileBody == nil {
  44. writeErrorResponse(w, s3err.ErrPOSTFileRequired, r.URL)
  45. return
  46. }
  47. defer fileBody.Close()
  49. formValues.Set("Bucket", bucket)
  51. if fileName != "" && strings.Contains(formValues.Get("Key"), "${filename}") {
  52. formValues.Set("Key", strings.Replace(formValues.Get("Key"), "${filename}", fileName, -1))
  53. }
  54. object := formValues.Get("Key")
  56. successRedirect := formValues.Get("success_action_redirect")
  57. successStatus := formValues.Get("success_action_status")
  58. var redirectURL *url.URL
  59. if successRedirect != "" {
  60. redirectURL, err = url.Parse(successRedirect)
  61. if err != nil {
  62. writeErrorResponse(w, s3err.ErrMalformedPOSTRequest, r.URL)
  63. return
  64. }
  65. }
  67. // Verify policy signature.
  68. errCode := s3a.iam.doesPolicySignatureMatch(formValues)
  69. if errCode != s3err.ErrNone {
  70. writeErrorResponse(w, errCode, r.URL)
  71. return
  72. }
  74. policyBytes, err := base64.StdEncoding.DecodeString(formValues.Get("Policy"))
  75. if err != nil {
  76. writeErrorResponse(w, s3err.ErrMalformedPOSTRequest, r.URL)
  77. return
  78. }
  80. // Handle policy if it is set.
  81. if len(policyBytes) > 0 {
  83. postPolicyForm, err := policy.ParsePostPolicyForm(string(policyBytes))
  84. if err != nil {
  85. writeErrorResponse(w, s3err.ErrPostPolicyConditionInvalidFormat, r.URL)
  86. return
  87. }
  89. // Make sure formValues adhere to policy restrictions.
  90. if err = policy.CheckPostPolicy(formValues, postPolicyForm); err != nil {
  91. w.Header().Set("Location", r.URL.Path)
  92. w.WriteHeader(http.StatusTemporaryRedirect)
  93. return
  94. }
  96. // Ensure that the object size is within expected range, also the file size
  97. // should not exceed the maximum single Put size (5 GiB)
  98. lengthRange := postPolicyForm.Conditions.ContentLengthRange
  99. if lengthRange.Valid {
  100. if fileSize < lengthRange.Min {
  101. writeErrorResponse(w, s3err.ErrEntityTooSmall, r.URL)
  102. return
  103. }
  105. if fileSize > lengthRange.Max {
  106. writeErrorResponse(w, s3err.ErrEntityTooLarge, r.URL)
  107. return
  108. }
  109. }
  110. }
  112. uploadUrl := s3a.buildUploadUrl(bucket, object)
  114. etag, errCode := s3a.putToFiler(r, uploadUrl, fileBody)
  116. if errCode != s3err.ErrNone {
  117. writeErrorResponse(w, errCode, r.URL)
  118. return
  119. }
  121. if successRedirect != "" {
  122. // Replace raw query params..
  123. redirectURL.RawQuery = getRedirectPostRawQuery(bucket, object, etag)
  124. w.Header().Set("Location", redirectURL.String())
  125. writeResponse(w, http.StatusSeeOther, nil, mimeNone)
  126. return
  127. }
  129. setEtag(w, etag)
  131. // Decide what http response to send depending on success_action_status parameter
  132. switch successStatus {
  133. case "201":
  134. resp := encodeResponse(PostResponse{
  135. Bucket: bucket,
  136. Key: object,
  137. ETag: `"` + etag + `"`,
  138. Location: w.Header().Get("Location"),
  139. })
  140. writeResponse(w, http.StatusCreated, resp, mimeXML)
  141. case "200":
  142. writeResponse(w, http.StatusOK, nil, mimeNone)
  143. default:
  144. writeSuccessResponseEmpty(w)
  145. }
  147. }
  149. // Extract form fields and file data from a HTTP POST Policy
  150. func extractPostPolicyFormValues(form *multipart.Form) (filePart io.ReadCloser, fileName string, fileSize int64, formValues http.Header, err error) {
  151. /// HTML Form values
  152. fileName = ""
  154. // Canonicalize the form values into http.Header.
  155. formValues = make(http.Header)
  156. for k, v := range form.Value {
  157. formValues[http.CanonicalHeaderKey(k)] = v
  158. }
  160. // Validate form values.
  161. if err = validateFormFieldSize(formValues); err != nil {
  162. return nil, "", 0, nil, err
  163. }
  165. // this means that filename="" was not specified for file key and Go has
  166. // an ugly way of handling this situation. Refer here
  167. // https://golang.org/src/mime/multipart/formdata.go#L61
  168. if len(form.File) == 0 {
  169. var b = &bytes.Buffer{}
  170. for _, v := range formValues["File"] {
  171. b.WriteString(v)
  172. }
  173. fileSize = int64(b.Len())
  174. filePart = ioutil.NopCloser(b)
  175. return filePart, fileName, fileSize, formValues, nil
  176. }
  178. // Iterator until we find a valid File field and break
  179. for k, v := range form.File {
  180. canonicalFormName := http.CanonicalHeaderKey(k)
  181. if canonicalFormName == "File" {
  182. if len(v) == 0 {
  183. return nil, "", 0, nil, errors.New("Invalid arguments specified")
  184. }
  185. // Fetch fileHeader which has the uploaded file information
  186. fileHeader := v[0]
  187. // Set filename
  188. fileName = fileHeader.Filename
  189. // Open the uploaded part
  190. filePart, err = fileHeader.Open()
  191. if err != nil {
  192. return nil, "", 0, nil, err
  193. }
  194. // Compute file size
  195. fileSize, err = filePart.(io.Seeker).Seek(0, 2)
  196. if err != nil {
  197. return nil, "", 0, nil, err
  198. }
  199. // Reset Seek to the beginning
  200. _, err = filePart.(io.Seeker).Seek(0, 0)
  201. if err != nil {
  202. return nil, "", 0, nil, err
  203. }
  204. // File found and ready for reading
  205. break
  206. }
  207. }
  208. return filePart, fileName, fileSize, formValues, nil
  209. }
  211. // Validate form field size for s3 specification requirement.
  212. func validateFormFieldSize(formValues http.Header) error {
  213. // Iterate over form values
  214. for k := range formValues {
  215. // Check if value's field exceeds S3 limit
  216. if int64(len(formValues.Get(k))) > int64(1*humanize.MiByte) {
  217. return errors.New("Data size larger than expected")
  218. }
  219. }
  221. // Success.
  222. return nil
  223. }
  225. func getRedirectPostRawQuery(bucket, key, etag string) string {
  226. redirectValues := make(url.Values)
  227. redirectValues.Set("bucket", bucket)
  228. redirectValues.Set("key", key)
  229. redirectValues.Set("etag", "\""+etag+"\"")
  230. return redirectValues.Encode()
  231. }
  233. // Check to see if Policy is signed correctly.
  234. func (iam *IdentityAccessManagement) doesPolicySignatureMatch(formValues http.Header) s3err.ErrorCode {
  235. // For SignV2 - Signature field will be valid
  236. if _, ok := formValues["Signature"]; ok {
  237. return iam.doesPolicySignatureV2Match(formValues)
  238. }
  239. return iam.doesPolicySignatureV4Match(formValues)
  240. }